Abstract — This paper considers a key agreement problem 
in which two parties aim to agree on a key by exchanging 
messages in the presence of adversarial tampering. The aim of 
the adversary is to disrupt the key agreement process, but there 
are no secrecy constraints (i.e. we do not insist that the key is 
kept secret from the adversary). The main results of the paper 
are coding schemes and bounds on maximum key generation 
rates for this problem. 

I. Introduction 

In many distributed collaborative algorithms or applications, 
it is required that each involved party shares a common random 
key or seed. For instance, in authentication [1] or secret 
communications [2], the client and the server may need to 
share a common private key. In another scenario, a common 
random seed may need to be shared by a group of cooperative 
users to run a distributed probabilistic algorithm. In such cases, 
key secrecy may not be important. In all of these examples 
however, it is important that each party has the same key. 

It is important to investigate methods for generation and 
distribution of random keys. For example, in one scenario, it 
may be required to "divide" a secret key into smaller pieces, 
for distribution to a group of users. The goal is to ensure that 
only legitimate groups of users, each of which holds one small 
piece of the secret, can reconstruct the secret key. This is the 
secret sharing problem [3]. In another scenario, two legitimate 
parties (and possibly an adversary) may observe correlated 
randomness. The objective is for the two parties to extract a 
common random key from their observations, by exchanging 
messages over a public channel. The goal is to ensure that an 
adversary who observes all the messages exchanged over the 
public channel has no knowledge about the agreed key [4]. 

The focus of this paper is on robust key agreement in 
the presence of adversarial tampering (i.e. the adversary can 
alter some of the messages exchanged between the legitimate 
parties during the key agreement process). We are interested 
in coding methods and key generation rates, where the only 
requirement is that the parties obtain the same key. We do not 
require that the key be kept secret from the adversary. 

One approach to this problem is for one party to simply 
generate a key and then send it to the other party. Using this 
simple approach, the key agreement problem reduces to the 
standard problem of reliable communication. To ensure the 
other party can reliably reconstruct the key in the presence of 
noise or tampering, the sender adds redundancy in the form 
of an error correction code [5]. Recently, the error correction 
problem was studied in the context of network coding [6]. 
Although this direct communications approach is very simple, 
we shall see that its application to key agreement can be 
suboptimal. 

The organization of this paper is as follows. Section II 
provides the problem formulation. Section III focuses on 
zero-error key agreement, which is the worst case scenario 
assuming adversaries have unbounded computational abilities. 
Section IV considers a weaker adversarial model in which 
adversaries can only make certain kinds of simple attacks. 

Notations: Vectors will be denoted by bold-faced lowercase 
letters whose entries are denoted by superscripts. For example, 
$\mathbf{x}$ is the vector, $\mathbf{x}^1$ is its first entry and 
$\mathbf{x}^{[i,j]}$ is the $i$-th to $j$-th entries of $\mathbf{x}$. 
In addition, define $A_m(n,d)$ as a maximum rate $2^m$-ary code 
of length $n$ and minimum Hamming distance $d$. 



II. Problem Formulation 

Consider a simple two-way network as depicted in Figure 1. 
Alice and Bob aim to agree on a common random key by 
exchanging messages through the network. Eve is the adversary 
in the network, whose only objective is to prevent Alice and 
Bob from agreeing on a key. She attacks by replacing some 
of the exchanged messages. There is no requirement to keep 
the key secret from Eve. 



Fig. 1. A two-way network (Alice and Bob joined by forward and backward links). 

We will mainly consider a two-round key agreement scenario. 
In the first round, Alice generates $n_1$ message vectors, 
$\mathbf{x}_1,\dots,\mathbf{x}_{n_1}$. Assume without loss of generality 
that all messages are binary vectors of length $m$. These are sent 
to Bob using the $n_1$ forward links (one for each message). Eve 
observes the messages and can replace some of them with 
messages of her own choosing. Let the $n_1$ messages received 
by Bob be denoted $\hat{\mathbf{x}}_1,\dots,\hat{\mathbf{x}}_{n_1}$. 

In the second round, after receiving $\hat{\mathbf{x}}_1,\dots,\hat{\mathbf{x}}_{n_1}$, 
Bob generates $n_2$ message vectors, $\mathbf{y}_1,\dots,\mathbf{y}_{n_2}$. 
These are sent to Alice using the $n_2$ backward links. Again, Eve 
may observe and replace some of the messages. Let the $n_2$ messages 
received by Alice be denoted $\hat{\mathbf{y}}_1,\dots,\hat{\mathbf{y}}_{n_2}$. 



If Eve can attack every link, it is impossible for Alice and 
Bob to agree on a key. However there are many scenarios of 
interest where it may be reasonable to assume that this is not 
possible (e.g. due to limited network access, or the use of 
special hardened links). Henceforth, we assume that Eve can 
attack at most $t$ links in total. In other words, 

$$\sum_{i=1}^{n_1} d_H(\mathbf{x}_i,\hat{\mathbf{x}}_i) + \sum_{i=1}^{n_2} d_H(\mathbf{y}_i,\hat{\mathbf{y}}_i) \le t \qquad (1)$$

where $d_H(\cdot)$ is a Hamming distortion function with 

$$d_H(\mathbf{x},\mathbf{y}) = \begin{cases} 0 & \mathbf{x} = \mathbf{y} \\ 1 & \mathbf{x} \ne \mathbf{y} \end{cases}$$

i.e. two distinct vectors are at distance 1, regardless of how 
many elements disagree. 

After these two rounds of message exchange (forward and 
backward), Alice and Bob make independent decisions on their 
random key. Let $g_a$ and $g_b$ be their (key-)decoding functions 
respectively. A key agreement error occurs if 

$$g_a(\mathbf{x}_1,\dots,\mathbf{x}_{n_1},\hat{\mathbf{y}}_1,\dots,\hat{\mathbf{y}}_{n_2}) \ne g_b(\mathbf{y}_1,\dots,\mathbf{y}_{n_2},\hat{\mathbf{x}}_1,\dots,\hat{\mathbf{x}}_{n_1}).$$

A key agreement scheme is specified by the encoders and 
decoders used by Alice and Bob. We shall use a probabilistic 
setting. Alice's encoder $E_a$ is specified by a probability 
distribution $\Pr(\mathbf{x}_1,\dots,\mathbf{x}_{n_1})$ which governs how Alice 
generates the first round of messages. Bob's encoder $E_b$ however 
is specified by a conditional distribution 
$\Pr(\mathbf{y}_1,\dots,\mathbf{y}_{n_2} \mid \hat{\mathbf{x}}_1,\dots,\hat{\mathbf{x}}_{n_1})$ 
which determines how the second round of messages should be 
generated after receiving the possibly corrupted messages from 
Alice. A key agreement scheme will be denoted by the tuple 
$(m, n_1, n_2, E_a, E_b, g_a, g_b)$ or simply $(E_a, E_b, g_a, g_b)$ 
if $m, n_1, n_2$ are understood. 

Eve's attack is specified by a pair of conditional probability 
distributions 

$$\Pr(\hat{\mathbf{x}}_1,\dots,\hat{\mathbf{x}}_{n_1} \mid \mathbf{x}_1,\dots,\mathbf{x}_{n_1}) \qquad (2)$$

and a second conditional distribution, (3), which specifies how the 
received backward messages $\hat{\mathbf{y}}_1,\dots,\hat{\mathbf{y}}_{n_2}$ 
depend on what Bob sent. These distributions must satisfy the 
constraint (1). Let 

$$K_1 = g_a(\mathbf{x}_1,\dots,\mathbf{x}_{n_1},\hat{\mathbf{y}}_1,\dots,\hat{\mathbf{y}}_{n_2}), \qquad K_2 = g_b(\mathbf{y}_1,\dots,\mathbf{y}_{n_2},\hat{\mathbf{x}}_1,\dots,\hat{\mathbf{x}}_{n_1}).$$

The probability distribution of $K_1$ and $K_2$ depends on Eve's 
attacking strategy. For a given attacking strategy $E$, let 

$$H_E(K_1 \mid K_1 = K_2) \triangleq -\sum_{k_1} \Pr(K_1 = k_1 \mid K_1 = K_2) \log \Pr(K_1 = k_1 \mid K_1 = K_2)$$

where $\Pr(K_1 = k_1 \mid K_1 = K_2)$ is the conditional probability 
that $K_1 = k_1$ given the event that $K_1 = K_2$. 

Let $\mathcal{A}_E$ be the set of attacking strategies that Eve can choose 
(i.e. the set of pairs of conditional distributions (2) and (3) 
satisfying (1)). We define the key agreement rate (for a given 
key agreement scheme) as 

$$\min_{E \in \mathcal{A}_E} H_E(K_1 \mid K_1 = K_2).$$

III. Zero-Error Key Agreement 

The objective of zero-error key agreement is for Alice and 
Bob to generate identical keys with probability one at some 
positive rate. 

Definition 1: For given positive integers $n_1, n_2, m$, the key 
rate $R$ is called zero-error admissible if there exists a key 
agreement scheme $(E_a, E_b, g_a, g_b)$ such that (1) the probability 
of key agreement error is zero for all attacking strategies that 
Eve can choose and (2) $R < \min_{E \in \mathcal{A}_E} H_E(K_1)$. The zero- 
error key agreement capacity is the supremum of all zero-error 
admissible rates. 

The natural fundamental question is: What is the zero-error 
key agreement capacity? In this paper, we will give lower 
bounds for the zero-error key agreement capacity and simple 
schemes that achieve the lower bounds. 

Theorem 1: If $t > \max(n_1, n_2)$, then the zero-error key 
agreement capacity is 0. 

Proof sketch: Since $t > n_1, n_2$, no matter which messages 
Alice and Bob send, Eve can replace them with any other 
messages. If the probability of key agreement error is zero, 
then the key that Alice and Bob agree on must be independent 
of $\mathbf{x}_1,\dots,\mathbf{x}_{n_1}$ and $\mathbf{y}_1,\dots,\mathbf{y}_{n_2}$. 
As such, the agreed key can only be a constant. ■ 

A. Examples 

We will now develop some small examples that provide 
motivation for a general coding scheme. 

If messages can be sent only in one direction (i.e., either $n_1$ 
or $n_2$ is zero), then key agreement is equivalent to transmission 
of a random key from one party to another. When messages 
can be sent in both directions, we can naively decouple the two 
rounds of message transmissions into two rounds of random 
key transmissions as follows. 

Example 1 (Direct key transmission): Suppose $n_1 = n_2 = 3$ 
and $t = 1$. Let $C_a = \{(\mathbf{x}_1,\mathbf{x}_2,\mathbf{x}_3) : \mathbf{x}_1 = \mathbf{x}_2 = \mathbf{x}_3\}$ and let 

$$\Pr(\mathbf{x}_1,\mathbf{x}_2,\mathbf{x}_3) = \begin{cases} 1/2^m & \text{if } (\mathbf{x}_1,\mathbf{x}_2,\mathbf{x}_3) \in C_a \\ 0 & \text{otherwise.} \end{cases}$$

Since $C_a$ has minimum distance 3, no matter how Eve attacks, 
Bob can reconstruct $\mathbf{x}_1$ without error. Note that, if the 
minimum distance of $C_a$ is less than 3, then Bob may fail to 
correctly reconstruct $\mathbf{x}_1$. 

Similarly, let $C_b = \{(\mathbf{y}_1,\mathbf{y}_2,\mathbf{y}_3) : \mathbf{y}_1 = \mathbf{y}_2 = \mathbf{y}_3\}$ and 

$$\Pr(\mathbf{y}_1,\mathbf{y}_2,\mathbf{y}_3 \mid \hat{\mathbf{x}}_1,\hat{\mathbf{x}}_2,\hat{\mathbf{x}}_3) = \begin{cases} 1/2^m & \text{if } (\mathbf{y}_1,\mathbf{y}_2,\mathbf{y}_3) \in C_b \\ 0 & \text{otherwise} \end{cases}$$

for all $(\hat{\mathbf{x}}_1,\hat{\mathbf{x}}_2,\hat{\mathbf{x}}_3)$. Again, Alice can reconstruct $\mathbf{y}_1$ without 
error, no matter how Eve attacks. Finally, Alice and Bob can 
use $(\mathbf{x}_1, \mathbf{y}_1)$ as the common random key whose entropy is $2m$. 

The above scheme essentially consists of two one-round 
key transmission schemes. The resulting key consists of two 
random parts, one generated by Alice (and sent to Bob) 
and one generated by Bob (and sent to Alice). Despite 
its simplicity, this scheme is not optimal as shown by the 
following example. 

Example 2: Suppose $n_1 = n_2 = 3$ and $t = 1$. Let $C_a$ be an 
$A_m(3,2)$ code and 

$$\Pr(\mathbf{x}_1,\mathbf{x}_2,\mathbf{x}_3) = \begin{cases} 1/|C_a| & \text{if } (\mathbf{x}_1,\mathbf{x}_2,\mathbf{x}_3) \in C_a \\ 0 & \text{otherwise.} \end{cases}$$

Note that $C_a$ has minimum distance 2. Therefore, if Eve attacks 
one of the forward links, Bob can always detect it but not 
necessarily correct it. 

Consider the following codebooks $C^*_{b,0} = A_{m-1}(3,3)$ and 
$C^*_{b,1} = A_{m-1}(3,1)$. Let 

$$C_{b,0} = \Big\{(\mathbf{y}_1,\mathbf{y}_2,\mathbf{y}_3) : \mathbf{y}_1^1 = \mathbf{y}_2^1 = \mathbf{y}_3^1 = 0 \text{ and } (\mathbf{y}_1^{[2,m]},\mathbf{y}_2^{[2,m]},\mathbf{y}_3^{[2,m]}) \in C^*_{b,0}\Big\}$$

$$C_{b,1} = \Big\{(\mathbf{y}_1,\mathbf{y}_2,\mathbf{y}_3) : \mathbf{y}_1^1 = \mathbf{y}_2^1 = \mathbf{y}_3^1 = 1 \text{ and } (\mathbf{y}_1^{[2,m]},\mathbf{y}_2^{[2,m]},\mathbf{y}_3^{[2,m]}) \in C^*_{b,1}\Big\}$$

If Bob does not detect any errors (i.e., $(\hat{\mathbf{x}}_1,\hat{\mathbf{x}}_2,\hat{\mathbf{x}}_3) \in C_a$), 
then 

$$\Pr(\mathbf{y}_1,\mathbf{y}_2,\mathbf{y}_3 \mid \hat{\mathbf{x}}_1,\hat{\mathbf{x}}_2,\hat{\mathbf{x}}_3) = \begin{cases} 1/|C_{b,0}| & \text{if } (\mathbf{y}_1,\mathbf{y}_2,\mathbf{y}_3) \in C_{b,0} \\ 0 & \text{otherwise.} \end{cases}$$

Otherwise, if an error is detected, 

$$\Pr(\mathbf{y}_1,\mathbf{y}_2,\mathbf{y}_3 \mid \hat{\mathbf{x}}_1,\hat{\mathbf{x}}_2,\hat{\mathbf{x}}_3) = \begin{cases} 1/|C_{b,1}| & \text{if } (\mathbf{y}_1,\mathbf{y}_2,\mathbf{y}_3) \in C_{b,1} \\ 0 & \text{otherwise.} \end{cases}$$

After receiving $\hat{\mathbf{y}}_1^1, \hat{\mathbf{y}}_2^1, \hat{\mathbf{y}}_3^1$, Alice can reconstruct $\mathbf{y}_1^1$. 
Therefore, Alice will know which codebook Bob used. It is easy to 
see that $(\mathbf{y}_1,\mathbf{y}_2,\mathbf{y}_3)$ can also be reconstructed perfectly. 

Finally, Alice and Bob agree on $K = (k_\alpha, k_a, k_b)$ such that 

• $k_\alpha = \mathbf{y}_1^1$, which indicates whether errors were detected in 
the forward links; 

• $k_a = \emptyset$ if $k_\alpha = 1$. Otherwise, $k_a = (\mathbf{x}_1,\mathbf{x}_2,\mathbf{x}_3)$; 

• $k_b = (\mathbf{y}_1,\mathbf{y}_2,\mathbf{y}_3)$. 

It is straightforward to prove that the probability of key 
agreement error is zero and that the entropy of the key $K$ 
is at least 

$$\min\big(\log|A_m(3,2)| + \log|A_{m-1}(3,3)|,\ \log|A_{m-1}(3,1)|\big).$$

When $m$ is sufficiently large, the Singleton bound is tight, and 
hence the entropy of $K$ is at least $3m - 1$. 

Compared with the key agreement rate in Example 1, a 50% 
gain is achieved. 
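As an added check of the Example 2 construction (this is not code from the paper), the following script instantiates the scheme with a small $m$ and exhaustively verifies that Alice and Bob always agree, for every codeword of $C_a$, every attack Eve can make within her budget $t = 1$ and every choice of Bob's random messages, while also counting the distinct keys in each attack case. It assumes the single-parity code for $C_a$ and the repetition code for $C^*_{b,0}$; both meet the stated minimum distances and the Singleton sizes.

```python
# Exhaustive zero-error check of the Example 2 scheme (n1 = n2 = 3, t = 1).
# Added example, not the paper's code. Assumed concrete codes:
#   C_a      = single-parity code {(a, b, a XOR b)} over m-bit symbols
#              (minimum distance 2, |C_a| = 2^(2m), meets the Singleton bound)
#   C*_{b,0} = 3-fold repetition of an (m-1)-bit payload (distance 3)
#   C*_{b,1} = all (m-1)-bit payload triples (distance 1)
from itertools import product

M = 3                 # bits per message; small so the check is exhaustive
TOP = 1 << (M - 1)    # mask of the first bit y^1 (stored as the MSB)


def alice_codebook():
    """C_a = A_m(3,2): every (a, b, a^b); one replacement always leaves C_a."""
    return [(a, b, a ^ b) for a in range(1 << M) for b in range(1 << M)]


def bob_encode(x_hat):
    """Bob's second round: (detected flag, list of all y he may send)."""
    if x_hat[0] ^ x_hat[1] == x_hat[2]:          # parity holds: no attack seen
        return 0, [(s, s, s) for s in range(TOP)]            # C_{b,0}
    payloads = product(range(TOP), repeat=3)                  # C_{b,1}
    return 1, [tuple(TOP | s for s in p) for p in payloads]


def bob_key(x_hat, detected, y):
    """K = (k_alpha, k_a, k_b) as defined in Example 2."""
    return (1, None, y) if detected else (0, x_hat, y)


def alice_decode(x, y_hat):
    """Majority-decode the flag bits, then the repetition payload if flag is 0."""
    if sum(v >> (M - 1) for v in y_hat) >= 2:   # flag 1: Eve spent t forwards
        return (1, None, y_hat)
    y = max(set(y_hat), key=y_hat.count)        # distance-3 repetition code
    return (0, x, (y, y, y))


def single_replacements(vec):
    """Every vector Eve can produce by replacing exactly one link's message."""
    for i in range(3):
        for v in range(1 << M):
            if v != vec[i]:
                yield vec[:i] + (v,) + vec[i + 1:]


def check_scheme():
    """Return (always_agree, #keys with no forward attack, #keys with one)."""
    keys = [set(), set()]
    for x in alice_codebook():
        for x_hat in [x, *single_replacements(x)]:
            fwd = int(x_hat != x)                # 1 if Eve used her attack here
            detected, ys = bob_encode(x_hat)
            for y in ys:
                # t = 1 in total: a backward attack is possible only if fwd == 0
                for y_hat in ([y] if fwd else [y, *single_replacements(y)]):
                    kb = bob_key(x_hat, detected, y)
                    if alice_decode(x, y_hat) != kb:
                        return False, 0, 0
                    keys[fwd].add(kb)
    return True, len(keys[0]), len(keys[1])


if __name__ == "__main__":
    ok, k0, k1 = check_scheme()
    print(f"zero-error agreement: {ok}; keys without/with forward attack: {k0}/{k1}")
```

With $m = 3$ the two key spaces have $2^{3m-1} = 256$ and $2^{3(m-1)} = 64$ elements, so the guaranteed entropy for this small $m$ is $\log_2 64 = 6$ bits.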

From the above example, it is easy to see that the direct 
key transmission scheme in Example 1 is suboptimal because 
Bob did not use his received messages to estimate how many 
forward links were attacked by Eve. As a result, Bob has to 
pessimistically protect his messages, assuming that Eve can 
attack $t$ backward links. 

Although the key agreement scheme in Example 2 may 
appear to be a modified direct key transmission scheme, there 
are some subtle differences. Using direct key transmission 
(multiple one-round key distribution sessions), the agreed key 
consists of two random parts, one from Alice and one from 
Bob. The entropy of the agreed key will be the same no matter 
how Eve attacks. On the other hand, in the scheme detailed in 
Example 2 the size of the key depends on how Eve attacks. 
For instance, if Eve attacks the forward link, then the entropy 
of the resulting key is the largest. Furthermore, in this case, 
the key is essentially solely generated by Bob. 

In this paper, we are not concerned with the source of 
randomness. However, in some other scenarios, it may be of 
practical concern. For example, suppose that there is another 
adversary who can "observe" how Bob generates the random 
messages $(\mathbf{y}_1,\mathbf{y}_2,\mathbf{y}_3)$. Then that adversary would know 
the key completely, which may cause a problem. 

The following is another interesting example in which 
direct key transmission fails altogether, but the key agreement 
capacity is nonzero. 

Example 3 ($n_1 = n_2 = 2$ and $t = 1$): Let $C_a = A_m(2,2)$ 
and 

$$\Pr(\mathbf{x}_1,\mathbf{x}_2) = \begin{cases} 1/|C_a| & \text{if } (\mathbf{x}_1,\mathbf{x}_2) \in C_a \\ 0 & \text{otherwise.} \end{cases}$$

Again, if Eve attacks the forward links, Bob can detect it but 
not correct it. 

Consider codebooks $C^*_{b,0} = A_{m-1}(2,2)$ and $C^*_{b,1} = A_{m-1}(2,1)$. Let 

$$C_{b,0} = \Big\{(\mathbf{y}_1,\mathbf{y}_2) : \mathbf{y}_1^1 = \mathbf{y}_2^1 = 0 \text{ and } (\mathbf{y}_1^{[2,m]},\mathbf{y}_2^{[2,m]}) \in C^*_{b,0}\Big\}$$

$$C_{b,1} = \Big\{(\mathbf{y}_1,\mathbf{y}_2) : \mathbf{y}_1^1 = \mathbf{y}_2^1 = 1 \text{ and } (\mathbf{y}_1^{[2,m]},\mathbf{y}_2^{[2,m]}) \in C^*_{b,1}\Big\}$$

If Bob does not detect any errors (i.e., $(\hat{\mathbf{x}}_1,\hat{\mathbf{x}}_2) \in C_a$), then 

$$\Pr(\mathbf{y}_1,\mathbf{y}_2 \mid \hat{\mathbf{x}}_1,\hat{\mathbf{x}}_2) = \begin{cases} 1/|C_{b,0}| & \text{if } (\mathbf{y}_1,\mathbf{y}_2) \in C_{b,0} \\ 0 & \text{otherwise.} \end{cases}$$

Otherwise, 

$$\Pr(\mathbf{y}_1,\mathbf{y}_2 \mid \hat{\mathbf{x}}_1,\hat{\mathbf{x}}_2) = \begin{cases} 1/|C_{b,1}| & \text{if } (\mathbf{y}_1,\mathbf{y}_2) \in C_{b,1} \\ 0 & \text{otherwise.} \end{cases}$$

As before, we can easily show that the resulting key 
agreement capacity is at least $\log|C_a| = m$. 

B. Generalization 

We will now generalize Examples 2 and 3 to arbitrary $n_1, n_2$ 
and $t$. Let $\ell = \lceil \log(t+1) \rceil$ and $\Omega_m(d, t_1)$ be defined as 
follows:¹ 

$$\Omega_m(d, t_1) = \begin{cases} \log|A_m(n_1,d)| + \log|A_{m-\ell}(n_2, 2t+1)| & d > t + t_1 \\ \log|A_{m-\ell}(n_2, 2(t-t_1)+1)| & \text{otherwise.} \end{cases}$$

Theorem 2 (Inner bound): Suppose that $n_2 > 2t$. Then the 
zero-error key agreement capacity is at least 

$$\max_d \min\big(\Omega_m(d,0),\ \Omega_m(d, d-t)\big). \qquad (4)$$

¹ We do not explicitly indicate the dependency of $\Omega_m(d,t_1)$ on $n_1, n_2, t$ 
to simplify notations. 



Proof: Let $C_a$ be an $A_m(n_1,d)$ code and 

$$\Pr(\mathbf{x}_1,\dots,\mathbf{x}_{n_1}) = \begin{cases} 1/|C_a| & \text{if } (\mathbf{x}_1,\dots,\mathbf{x}_{n_1}) \in C_a \\ 0 & \text{otherwise.} \end{cases}$$

Let $t_1$ be the number of forward links that Eve attacks. If 
$t_1 < d - t$, then Bob can reconstruct $(\mathbf{x}_1,\dots,\mathbf{x}_{n_1})$ perfectly. 
Otherwise, Bob can deduce that at least $d - t$ forward links 
have been attacked by Eve. 

Any integer $i$ between 0 and $t$ can be easily represented 
using $\ell$ bits. For each $i$, let $C^*_{b,i} = A_{m-\ell}(n_2, 2(t-i)+1)$ and 

$$C_{b,i} = \Big\{(\mathbf{y}_1,\dots,\mathbf{y}_{n_2}) : \mathbf{y}_1^{[1,\ell]} = \dots = \mathbf{y}_{n_2}^{[1,\ell]} = i \text{ and } (\mathbf{y}_1^{[\ell+1,m]},\dots,\mathbf{y}_{n_2}^{[\ell+1,m]}) \in C^*_{b,i}\Big\}.$$

Suppose that Bob can detect and correct errors (i.e., 
$(\hat{\mathbf{x}}_1,\dots,\hat{\mathbf{x}}_{n_1})$ is within a distance of $d-t-1$ from a codeword 
in $C_a$); then he can also determine the number of forward links 
$i$ that were attacked by Eve. Then let 

$$\Pr(\mathbf{y}_1,\dots,\mathbf{y}_{n_2} \mid \hat{\mathbf{x}}_1,\dots,\hat{\mathbf{x}}_{n_1}) = \begin{cases} 1/|C_{b,i}| & \text{if } (\mathbf{y}_1,\dots,\mathbf{y}_{n_2}) \in C_{b,i} \\ 0 & \text{otherwise.} \end{cases}$$

Similarly, if Bob determines that at least $d - t$ errors occur 
in the forward links, then 

$$\Pr(\mathbf{y}_1,\dots,\mathbf{y}_{n_2} \mid \hat{\mathbf{x}}_1,\dots,\hat{\mathbf{x}}_{n_1}) = \begin{cases} 1/|C_{b,d-t}| & \text{if } (\mathbf{y}_1,\dots,\mathbf{y}_{n_2}) \in C_{b,d-t} \\ 0 & \text{otherwise.} \end{cases}$$

Let $K = (k_\alpha, k_a, k_b)$ such that 

• $k_\alpha = \mathbf{y}_1^{[1,\ell]}$, which is the number of errors (or attacks) 
that occurred in the forward links; 

• $k_a = \emptyset$ if $k_\alpha = d - t$. Otherwise, $k_a = (\mathbf{x}_1,\dots,\mathbf{x}_{n_1})$; 

• $k_b = (\mathbf{y}_1,\dots,\mathbf{y}_{n_2})$. 

It is straightforward to prove that $K$ is known to both Alice 
and Bob, and the entropy of the common key $K$ is at least 

$$H(K) \ge \min_{0 \le t_1 \le t} \Omega_m(d, t_1) \qquad (5)$$

$$= \min\big(\Omega_m(d,0),\ \Omega_m(d,d-t)\big) \qquad (6)$$

and the result then follows. ■ 
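To see what inner bound (4) gives numerically, the following added script (not the paper's code) evaluates $\Omega_m(d,t_1)$ under the Singleton-tight code sizes that Example 2 relies on, and compares the result with the direct-transmission baseline of Example 1 generalised to arbitrary $n_1, n_2, t$. Two assumptions are made here: $\log|A_m(n,d)| = m(n-d+1)$ (exact for MDS codes such as Reed-Solomon once $2^m \ge n$), and $d$ is restricted to $t < d \le \min(2t, n_1)$ so that the $t_1 = d - t$ case of (6) is meaningful.

```python
# Numerical evaluation of the Theorem 2 inner bound (4) and of the Example 1
# style baseline. Added example, not the paper's code. Assumptions: the
# Singleton bound is tight, log|A_m(n, d)| = m (n - d + 1) (exact for MDS codes
# such as Reed-Solomon once 2^m >= n), and d ranges over t < d <= min(2t, n1),
# the range in which the t1 = d - t case of (6) exists.
import math


def log_A(m, n, d):
    """log2 |A_m(n, d)| under the Singleton bound; -inf if no such code."""
    if m <= 0 or d < 1 or d > n:
        return -math.inf
    return m * (n - d + 1)


def omega(m, n1, n2, t, d, t1):
    """Omega_m(d, t1) of Section III-B; l = ceil(log2(t+1)) bits carry t1."""
    l = math.ceil(math.log2(t + 1))
    if d > t + t1:          # Bob corrects, so both rounds contribute key bits
        return log_A(m, n1, d) + log_A(m - l, n2, 2 * t + 1)
    return log_A(m - l, n2, 2 * (t - t1) + 1)   # only Bob's round contributes


def theorem2_bound(m, n1, n2, t):
    """Return (bound in bits, best d) for max_d min(Omega(d,0), Omega(d,d-t))."""
    if n2 <= 2 * t:
        raise ValueError("Theorem 2 requires n2 > 2t")
    best = (-math.inf, None)
    for d in range(t + 1, min(2 * t, n1) + 1):
        val = min(omega(m, n1, n2, t, d, 0), omega(m, n1, n2, t, d, d - t))
        if val > best[0]:
            best = (val, d)
    return best


def direct_rate(m, n1, n2, t):
    """Example 1 generalised: each round independently corrects t replacements."""
    return log_A(m, n1, 2 * t + 1) + log_A(m, n2, 2 * t + 1)


if __name__ == "__main__":
    for m in (3, 10, 100):
        bits, d = theorem2_bound(m, 3, 3, 1)
        print(f"m={m}: Theorem 2 gives {bits} bits (d={d}), "
              f"direct transmission {direct_rate(m, 3, 3, 1)} bits")
```

For $n_1 = n_2 = 3$, $t = 1$ the ratio of the two rates grows from 1 at $m = 3$ (the $\ell$ flag bits eat the gain) towards 3/2 as $m$ grows, which is the 50% gain stated after Example 2.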
In the above, we considered only two-round key-agreement 
schemes and obtained inner bounds on rates of the agreed key. 
We can easily extend the bounds to multi-round scenarios. 

Define $\mathcal{R}_{w,n_1,\dots,n_w,t,m}$ as the key agreement capacity in 
a $w$-round key agreement scenario in which (1) the number 
of messages that can be sent in the $i$-th round is $n_i$, (2) the 
maximum number of links that can be attacked by Eve is $t$, 
and (3) each message is a binary vector of length $m$. 

Theorem 3: Suppose $n_1,\dots,n_w > 2t+1$. Then for any $d$ 
such that $2t > d > t$, $\mathcal{R}_{w,n_1,\dots,n_w,t,m}$ is at least 

$$\min\Big(\log|A_{m-\ell}(n_1,d)| + \mathcal{R}_{w-1,n_2,\dots,n_w,t,m-\ell-1},\ \mathcal{R}_{w-1,n_2,\dots,n_w,2t-d,\,\ldots}\Big) \qquad (7)$$

where $\ell = \lceil \log(t+1) \rceil$. 

Remark: By replacing the key agreement capacity terms 
in (7) with their corresponding inner bounds, we can get 
inner bounds for the multi-round key agreement capacity from 
Theorems 2 and 3. 

IV. Random Errors 

In the previous section, we considered the worst case 
scenario in which no errors are allowed in key agreement. 
Even if Eve attacks links randomly, there is still a small but 
positive probability that she may choose the most damaging 
attack. In fact, in this worst case scenario, we can even assume 
that Eve has knowledge of the messages sent by Alice prior to 
attack. 

We will now relax our model to allow small errors and 
assume that it is infeasible for Eve to determine which is the 
most damaging attack. More specifically, Eve can only decide 
on the number of links to be attacked in each direction, but not 
explicitly which links. We will consider the asymptotic case: 

$$n_1 = \lambda_1 r, \qquad n_2 = \lambda_2 r, \qquad \text{and} \qquad t = \tau r$$

where $r$ approaches infinity. Also, each link can transmit either 
zero or one (i.e., $m = 1$). 

Definition 2: A normalized key agreement rate $R$ is $\epsilon$- 
error admissible (with respect to given $\lambda_1, \lambda_2$ and $\tau$) 
if there exists a sequence of key agreement schemes 
$(1, n_1, n_2, t, E_a, E_b, g_a, g_b)$² such that 

1) $\lim_{r\to\infty} n_1/r = \lambda_1$, $\lim_{r\to\infty} n_2/r = \lambda_2$ and 
$\lim_{r\to\infty} t/r = \tau$, 

2) $R < \min_{E \in \mathcal{A}_E} H_E(K_1 \mid K_1 = K_2)/r$, 

3) the probability of key agreement failure, denoted as 
$P_e(1, n_1, n_2, t, E_a, E_b, g_a, g_b)$, goes to zero as $r$ goes 
to infinity. 

The normalized $\epsilon$-error key agreement capacity (for given 
$\lambda_1, \lambda_2$ and $\tau$) is the supremum of all $\epsilon$-error admissible $R$. In the 
following, we will obtain a lower bound for the capacity. 

Definition 3 (Combinatorial Binary Symmetric Channel): 
A CBS($\epsilon$) channel takes binary inputs and gives binary 
output. Let $(X_1,\dots,X_n)$ be the $n$ input symbols to the 
channel and $(\hat{X}_1,\dots,\hat{X}_n)$ be the $n$ output symbols. The 
channel inputs and outputs are related by 

$$(\hat{X}_1,\dots,\hat{X}_n) = (X_1,\dots,X_n) \oplus (E_1,\dots,E_n),$$

where $(E_1,\dots,E_n)$ is a binary error vector, independent 
of the inputs and uniformly distributed over $\{(e_1,\dots,e_n) : 
d_H(e_1,\dots,e_n) \le n\epsilon\}$ (that is, over the error vectors of 
Hamming weight at most $n\epsilon$), where $\epsilon < 1/2$ is a channel parameter. 

The CBS($\epsilon$) channel is not memoryless, but behaves like 
a memoryless binary symmetric channel with crossover prob- 
ability $\epsilon$ for sufficiently large $n$. 

Let $\mathcal{X} = \{0,1\}$. Consider a rate $s$ error correcting/detecting 
code. The encoder is a mapping $f : \{1,\dots,2^{ns}\} \mapsto \mathcal{X}^n$ 
and the decoder is a mapping $g : \mathcal{X}^n \mapsto \{0,1,\dots,2^{ns}\}$, 
where decoder output zero means that the decoder fails to 
correct errors. Suppose that the transmitted codeword is $f(i)$. 
A correction failure means that the decoding output is not $i$ and 
a detection failure means that the output is neither $i$ nor 0. 

² The sequence of schemes is indexed by $r$. For notational simplicity, we 
do not indicate the dependency explicitly. 

Clearly, the probabilities of correction and detection failures 
depend on the channel model. In this paper, we will focus on 
CBS channels. For a given error correcting/detecting code $C$, 
let $P_e^c(C,\xi)$ and $P_e^d(C,\xi)$ be respectively the probabilities 
of correction and detection failures when the channel is a 
CBS($\xi$) channel. 

Proposition 1 (Achievability): Fix $\xi < 1/2$. Let $I(\xi) = 1 + 
\xi\log\xi + (1-\xi)\log(1-\xi)$. For any $s < I(\xi)$, we can construct 
a sequence of rate $s_n$ error correcting/detecting codes $C^n$ such 
that 

$$\liminf_{n\to\infty} s_n > s \qquad (8)$$

$$\lim_{n\to\infty} P_e^c(C^n, \epsilon) = 0, \ \text{for } \epsilon < \xi \qquad (9)$$

$$\lim_{n\to\infty} P_e^d(C^n, \epsilon) = 0, \ \forall \epsilon \qquad (10)$$

Proof: The sequence of codes $C^n$ is randomly con- 
structed as follows. The proof of (9) and (10) is straightforward 
and will be omitted. 

The encoder $f$ is a randomly selected mapping 

$$f : \{1,\dots,2^{ns}\} \mapsto \mathcal{X}^n$$

such that each symbol in the codeword $f(i)$ is independently 
and uniformly distributed over $\{0,1\}$. 

The decoder $g$ is a "bounded distance decoder" 

$$g : \mathcal{X}^n \mapsto \{0,1,\dots,2^{ns}\}.$$

For any sequence $(\hat{X}_1,\dots,\hat{X}_n)$, if there exists a unique 
$f(i)$ such that the Hamming weight of $(\hat{X}_1,\dots,\hat{X}_n) - f(i)$ 
is less than $n\xi$, then the decoder output will be $i$. Otherwise, 
$g(\hat{X}_1,\dots,\hat{X}_n) = 0$. ■ 

Proposition 1 proves the existence of error correct- 
ing/detecting codes that can correct a $\xi$-fraction of errors. We 
can use these codes to construct key agreement schemes as 
before. As a result, we obtain the following bounds on the 
$\epsilon$-error key agreement capacity. 

Theorem 4 (Inner bound): Assume $\tau/\lambda_2 < 1/2$. Let 
$\gamma = \tau - \lambda_1\xi$. Then the key agreement rate is at least 

$$\max_{\xi < \tau/\lambda_1} \min\big(\lambda_2 I(\gamma/\lambda_2),\ \lambda_1 I(\xi) + \lambda_2 I(\tau/\lambda_2)\big). \qquad (11)$$

Proof: Let $r\nu$ be the number of links attacked in the 
forward direction. By Proposition 1, for sufficiently large $r$, 
there exists a code at rate close to $I(\xi)$ which with high 
probability can correct any $n_1\xi = r\lambda_1\xi$ errors and detect 
any number of errors. 

That $\tau/\lambda_2 < 1/2$ guarantees that Bob can successfully 
inform Alice whether he can correctly decode his received 
message. If Bob's decoder can correct the errors, then he 
and Alice both know $(X_1,\dots,X_{n_1})$. Otherwise, Bob can 
determine that Eve has attacked at least $r\lambda_1\xi$ links and that 
she can attack at most $r\gamma = r\tau - r\lambda_1\xi$ of the backward links. 
Hence Bob can transmit $r\lambda_2 I(\gamma/\lambda_2)$ bits of random key to 
Alice. 

Depending on the number of forward link attacks made by 
Eve, the key agreement rate is given by 

$$\begin{cases} \lambda_1 I(\xi) + \lambda_2 I(\tau/\lambda_2) & \text{if } \nu < \lambda_1\xi \\ \lambda_2 I(\gamma/\lambda_2) & \text{if } \nu \ge \lambda_1\xi. \end{cases}$$

Alice and Bob can agree on a common random key at rate 
no less than 

$$\max_{\xi < \tau/\lambda_1}\ \min_{0 \le \nu \le \tau}\ \begin{cases} \lambda_1 I(\xi) + \lambda_2 I(\tau/\lambda_2) & \text{if } \nu < \lambda_1\xi \\ \lambda_2 I(\gamma/\lambda_2) & \text{if } \nu \ge \lambda_1\xi. \end{cases} \qquad (12)$$

By monotonicity of the function $I(\cdot)$, we can further reduce 
(12) to (11) and hence the result follows. ■ 

Note: If both Alice and Bob share a small private key which 
is unknown to Eve, they can use the private key in such a way 
that any attacks made by Eve are no better than a random 
attack. 

V. Conclusion 

In this paper, we consider a key (or seed) agreement problem 
in which two parties aim to agree on a key by exchanging 
messages in the presence of adversarial tampering. We showed 
that naively decoupling the problem into two key transmission 
problems is suboptimal. We proposed an improved scheme and 
obtained lower bounds on the key generation rates. Although 
the proposed scheme is very simple, it can significantly 
improve the key agreement rate. Finally, we extended the 
proposed schemes and bounds to a weaker scenario in which 
the adversary has a limited computational power and cannot 
select the most damaging attacks. 